DHS nppd-cyber-ecosystem-white-paper-03-23-2011.pdf


7/28/2019 DHS nppd-cyber-ecosystem-white-paper-03-23-2011.pdf

Enabling Distributed Security in Cyberspace: Building a Healthy and Resilient Cyber Ecosystem with Automated Collective Action

March 23, 2011

Executive Summary

Like natural ecosystems, the cyber ecosystem comprises a variety of diverse participants: private firms, non-profits, governments, individuals, processes, and cyber devices (computers, software, and communications technologies) that interact for multiple purposes. Today in cyberspace, intelligent adversaries exploit vulnerabilities and create incidents that propagate at machine speeds to steal identities, resources, and advantage. The rising volume and virulence of these attacks have the potential to degrade our economic capacity and threaten basic services that underpin our modern way of life.

This discussion paper explores the idea of a healthy, resilient, and fundamentally more secure cyber ecosystem of the future, in which cyber participants, including cyber devices, are able to work together in near real time to anticipate and prevent cyber attacks, limit the spread of attacks across participating devices, minimize the consequences of attacks, and recover to a trusted state. In this future cyber ecosystem, security capabilities are built into cyber devices in a way that allows preventive and defensive courses of action to be coordinated within and among communities of devices. Power is distributed among participants, and near real time coordination is enabled by combining the innate and interoperable capabilities of individual devices with trusted information exchanges and shared, configurable policies.

To illuminate such a cyber ecosystem in action, one might look at today's practice known as continuous monitoring, in which system managers use a variety of software products to automatically detect and report known security vulnerabilities in network nodes. In some cases, system managers further configure their systems to automatically remediate detected security deficiencies. To offer an analogy, continuous monitoring is to a healthy cyber ecosystem as smoke detectors and sprinkler systems are to a smart building.

At the other end of sophistication in the orderly management of a complex system, we draw inspiration from the human body's immune system. To paint a picture that mirrors the body's ability to defend itself is complex. It might include layered defenses and countermeasures that work in tandem; specialized roles; powerful methods for rapidly identifying attackers; surge capabilities; and the ability to learn and rapidly adapt. A companion analogy may be made to the public health system and the Centers for Disease Control and Prevention (CDC). Here, cyber equivalent functions might include threat and incident watch, data dissemination, threat analysis, intervention recommendations, and coordination of preventive actions.

Automation is one of three interdependent building blocks of a healthy cyber ecosystem, along with interoperability and authentication. Automation can increase speed of action, optimize decision making, and ease adoption of new security solutions. A healthy cyber ecosystem might employ an automation strategy of fixed, local defenses supported by mobile and global defenses at multiple levels. Such a strategy could enable the cyber ecosystem to sustain itself and supported missions while fighting through attacks. Further, it could enable the ecosystem to continuously strengthen itself against the cyber equivalent of autoimmune disorders.

Interoperability can broaden and strengthen collaboration, create new intelligence, hasten and spread learning, and improve situational awareness. This paper posits three types of interoperability, semantic (i.e., a shared lexicon based on common understanding), technical, and policy, as fundamental to integrating disparate cyber participants into a comprehensive cyber defense system. It examines how the cybersecurity community has achieved some early successes by explicitly separating the management of security information from the management of security functions in an approach called security content automation. Such successes include: developing naming conventions and shared lists and catalogs of the fundamental elements that we identify here as the ecosystem; creating and using machine-readable languages and formats for expressing security policies or encoding security transactions; and developing and using knowledge repositories for best practices, benchmarks, profiles, standards, templates, checklists, tools, guidelines, rules and principles, among others. The paper also looks at some challenges associated with expanding this approach to ensure a widely distributed, automated, collective defense.

Authentication can improve trust in ways that enhance privacy and decision making. It is integral to many capabilities beyond cyber defense, and the paper looks to the emerging National Strategy for Trusted Identities in Cyberspace (NSTIC), detailed below, to build a shared foundation. The paper calls for identification and authentication technologies that deliver across five operational objectives: security, affordability, ease of use and administration, scalability, and interoperability. Additionally, the paper calls for consumer guides that rate technologies across all five objectives and assist system developers and owners in making phased improvements and selections. For automated cyber defense, it calls for strong standards-based device authentication, including for software, handheld devices, and small, often wireless, devices composing massively scalable grids.

The paper also draws on current research on network-enabled enterprises that is recasting traditional notions of command and control in the direction of focus and convergence. Focus provides the context and defines the purposes of an endeavor, but is agnostic regarding who might be in charge or particular lines of authority. Convergence refers to the goal-seeking process that guides actions and effects, but recognizes that control works in an unconventional manner in highly distributed systems. The paper presents a five-level maturity model for ecosystem focus and convergence that is associated with increasing agility and provides an approach for defining how to achieve and employ these various levels. Ecosystem maturity is further explored through a discussion of healthy attributes, eight for the ecosystem and eighteen for participants and exchanges.

The paper concludes with a brief discussion of incentives and recommendations for the way ahead. It posits that the slow adoption of available best practices and technologies in the face of increasing cyber attacks indicates an imbalance of incentives and proposes that better and more widely disseminated aggregated and anonymized information about the frequency and actual harm of cyber attacks is needed. Despite the many open questions remaining, the field is ripe for planning and action. Feedback on this paper and comment on all aspects of the [email protected].
Table of Contents

Executive Summary ... 2
Background and Purpose ... 5
The Case for a More Secure Cyber Ecosystem ... 5
Building Blocks for a Healthy Cyber Ecosystem ... 8
  Building Block 1: Automation ... 8
  Building Block 2: Interoperability ... 11
  Building Block 3: Authentication ... 17
Key Concepts ... 18
  Focus, Convergence, and Maturity ... 18
  Attributes of a Healthy Cyber Ecosystem ... 22
  Attributes of Healthy Participants ... 24
Incentives and Adoption ... 26
Way Ahead ... 27
Glossary ... 28

Background and Purpose

This paper was prepared under the direction of Philip Reitinger, Deputy Under Secretary for the National Protection and Programs Directorate (NPPD), U.S. Department of Homeland Security, with support from the NPPD Cyber+Strategy Staff, the federally funded Homeland Security Systems Engineering and Development Institute (HSSEDI), and the NPPD Office of Cybersecurity and Communications (CS&C). In 2010, NPPD sponsored a government workshop to discuss a draft of this paper. Recommendations from that workshop have been incorporated.

This paper explores a future, a healthy cyber ecosystem, where cyber devices collaborate in near real time in their own defense. In this future, cyber devices have innate capabilities that enable them to work together to anticipate and prevent cyber attacks, limit the spread of attacks across participating devices, minimize the consequences of attacks, and recover to a trusted state.

This paper presents three building blocks as foundational for a healthy cyber ecosystem: automation, interoperability, and authentication. The paper then considers how these building blocks contribute to ecosystem maturity and explores incentives for creating such a system. It concludes with thoughts on the way ahead.

The envisioned end state is focused specifically on capabilities that can be achieved in the near and mid term by utilizing standards-based software and information to strengthen self-defense through automated collective action. This paper is meant to provoke discussion and further exploration of the topic.

This paper is available online at http://www.dhs.gov/xlibrary/assets/nppd-healthy-cyber-ecosystem.pdf. Comments and feedback are welcome, [email protected]. You may also contact cyberfeedback@dhs.gov if you are interested in hosting a discussion on this topic.

The Case for a More Secure Cyber Ecosystem

Cyber attacks have become more frequent, more widespread, and more consequential. Forecasts for 2011 and beyond project continued increases in both the volume and virulence of cyber attacks. These mostly unattributed incidents reduce the availability of this vital medium for information exchange and impair the ability of the information environment to be a mission multiplier and support more effective and efficient business processes. Needless to say, an insecure environment also weakens the privacy of cyber ecosystem participants.
At the same time, the Nation is significantly expanding the cyber capabilities that power its economy and support its homeland and national security. The transformations being undertaken in the financial, health care, energy, transportation, homeland security, defense, and intelligence sectors are predicated on an expectation that cyber devices (computers, software, and communications technologies), communications networks, and embedded control systems for critical infrastructures will be available and perform as expected. (As examples, see Figures 1 and 2 for profiles of The Next Generation Air Transportation System and Smart Grid.)

Figure 1: Next Generation Air Transportation System (NextGen)

NextGen is a comprehensive overhaul of the U.S. national airspace system from air traffic control to air traffic management and from ground-based to satellite-based capabilities. It is employing continuous roll-out of improvements and upgrades to make air travel more convenient and dependable, more economical, and more environmentally friendly, while ensuring flights are as safe, secure and hassle-free as possible. NextGen offers advantages to all stakeholders: consumers, service providers, neighbors (e.g., noise reduction), and the environment.

The NextGen portfolio is organized into seven solution sets, each focusing on a series of related operational changes that together will bring about the mid-term system.

The NextGen Information Systems Security Architecture addresses how to:
- Keep the Bad Stuff Out (external boundary protection and certified software management)
- Make Sure You Know To Whom You Are Talking (identity and key management)
- If They Get In, Make Sure You Find Them and Deal With the Problem (intrusion detection and response)
- Minimize Damage Once In; Don't Let it Spread (internal policy enforcement)

Source: http://www.faa.gov/nextgen/

Cyber defense today is founded on ad hoc, manual processes; yet cyber attacks often follow a well-known, systematic escalation path beginning with reconnaissance activities and extending to gaining entry, establishing persistence, setting up external communications pathways, and conducting attack operations. If cyber devices communicated in near real time with each other about attacks, and took coordinated security hardening response actions consistent with a defined policy framework, then critical business, mission and privacy objectives could be better supported, and many security risks could be managed proactively and dynamically. Automated defenses could be effective at the earliest, least costly stage of the life cycle as well as at the later stages of an attack when malicious code and other attack elements propagate at machine speed. These defenses could be effective against all threats including financial fraud, identity theft, and advanced, persistent threats that exploit unauthorized access to intellectual property and sensitive information.

Figure 2: Smart Grid

Smart Grid comprises the electric transmission and distribution systems and myriads of local area networks that use distributed energy resources to serve local loads and/or to meet specific application requirements for remote power, village or district power, premium power, and critical loads protection.

Electric grid stakeholders representing utilities, technology providers, researchers, policy makers, and consumers have worked together to define the functions of a smart grid, and they have identified the following characteristics or performance features:
- Self-healing from power disturbance events
- Enabling active participation by consumers in demand response
- Operating resiliently against physical and cyber attack
- Providing power quality for 21st century needs
- Accommodating all generation and storage options
- Enabling new products, services, and markets
- Optimizing assets and operating efficiently

Source: http://www.oe.energy.gov/smartgrid.htm

In January 2003, the Slammer worm infected some 247,000 Internet hosts. Over 90 percent of the infections occurred within 10 minutes of release, and the worm achieved its full scanning rate (over 55 million scans per second) in approximately 3 minutes. While Slammer did not carry a malicious payload, the volume of traffic it produced swamped networks, causing disconnected ATMs (over 13,000 reported by a single bank), cancelled airline flights, and disrupted elections and 911 services. Clean-up costs worldwide were estimated at between $750 million and $1.2 billion.[1][2] Recently, more highly sophisticated and targeted attacks have been regularly reported.

Imagine a future where cyber devices have an innate ability to correlate operational information and to deduce that a device in their domain has been infected with possible malware. One indicator might be an unusually high number of random connection requests and a corresponding high failure rate. The scenario:
- A healthy device detects an infection in another device. (A discussion of healthy participants, persons, devices, and processes, is provided later in this paper);
- The device stops receiving and forwarding messages from the infected source and informs surrounding healthy devices about the identity of the suspected threat;
- Healthy devices receiving the threat alert employ a threshold defense to minimize the risk of false alarms, that is, they defer action until alerts are received from some predetermined number of independent devices;
- The alert threshold is reached, and participating healthy devices stop receiving and forwarding messages from the infected device, effectively neutralizing its ability to spread the infection; and finally
- Communications are re-established when the infected devices are cleaned.
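The scenario above, worked through as a small Python model. This is an added example and not code from the DHS paper or any system it describes; the device names, the threshold of three independent reporters, the scan-like indicator (many attempts to distinct addresses with a high failure rate) and the connection records are all constructed for illustration. It shows the property the threshold defense is designed for: one noisy or compromised reporter cannot, on its own, make its peers quarantine a device.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

# Constructed connection-attempt records as seen by one healthy device:
# (source device, destination address, outcome). host-17 behaves like the
# paper's indicator (many attempts to distinct addresses, mostly failing);
# host-02 talks to two known servers and always succeeds.
SAMPLE_CONNECTIONS: List[Tuple[str, str, str]] = (
    [("host-17", f"10.0.0.{i}", "ok" if i < 3 else "refused") for i in range(30)]
    + [("host-02", f"10.0.1.{i % 2}", "ok") for i in range(30)]
)


def looks_infected(records: Iterable[Tuple[str, str, str]], source: str,
                   min_attempts: int = 20, max_success_rate: float = 0.2) -> bool:
    """Local indicator (step 1): flag `source` when it makes many connection
    attempts to many distinct destinations and most of them fail."""
    mine = [(dst, out) for src, dst, out in records if src == source]
    if len(mine) < min_attempts:
        return False
    distinct = len({dst for dst, _ in mine})
    successes = sum(1 for _, out in mine if out == "ok")
    return distinct >= min_attempts // 2 and successes / len(mine) <= max_success_rate


@dataclass
class Device:
    """A participating device applying the threshold defense (steps 2 to 5)."""
    name: str
    threshold: int = 3  # independent reporters required before acting (constructed value)
    alerts: Dict[str, Set[str]] = field(default_factory=lambda: defaultdict(set))
    quarantined: Set[str] = field(default_factory=set)

    def receive_alert(self, suspect: str, reporter: str) -> bool:
        """Record an alert about `suspect`. Each reporter is counted once, so
        repeated alerts from a single device can never reach the threshold.
        Returns True if `suspect` is now quarantined by this device."""
        if reporter == self.name or suspect == self.name:
            return False
        self.alerts[suspect].add(reporter)
        if len(self.alerts[suspect]) >= self.threshold:
            self.quarantined.add(suspect)
        return suspect in self.quarantined

    def accepts_from(self, peer: str) -> bool:
        """Step 4: messages from quarantined devices are neither received nor forwarded."""
        return peer not in self.quarantined

    def clear(self, suspect: str) -> None:
        """Step 5: re-establish communications once the device is cleaned."""
        self.quarantined.discard(suspect)
        self.alerts.pop(suspect, None)


def run_scenario(devices: List[Device], detectors: List[Device], suspect: str) -> Dict[str, bool]:
    """Each detector quarantines the suspect locally (step 2) and alerts all
    peers (step 3); peers act only once their threshold is reached (step 4).
    Returns, per device, whether it is currently refusing the suspect."""
    for det in detectors:
        det.quarantined.add(suspect)
        for peer in devices:
            peer.receive_alert(suspect, det.name)
    return {d.name: not d.accepts_from(suspect) for d in devices}


if __name__ == "__main__":
    fleet = [Device(n) for n in ("a", "b", "c", "d", "e")]
    print(looks_infected(SAMPLE_CONNECTIONS, "host-17"))  # the scan-like host is flagged
    print(run_scenario(fleet, fleet[:2], "host-17"))       # two reporters: only a and b refuse
    print(run_scenario(fleet, fleet[2:3], "host-17"))      # third reporter: threshold met everywhere
```

The threshold is deliberately counted over distinct reporter identities rather than over alert messages; that only works if the identity of each reporter is authenticated, which is why the paper treats authentication as a building block alongside automation.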

Some simulations[3][4] indicate that about 30 to 35 percent of devices would need to cooperate in order for such a course of action to work. These numbers are important, because they indicate that success is not dependent on the participation of all or even a majority of devices; therefore, large-scale infrastructure modification is not required to make the ecosystem fundamentally more secure.[5]

The defenses present in a healthy cyber ecosystem could intervene at essentially any point during complex attacks. For example, an alert could come from trusted and authenticated sources such as other devices inside the infrastructure that detect anomalous behavior, another company or entity under attack, a monitoring service, or the United States Computer Emergency Readiness Team (US-CERT). If from an external source, the alert could come directly into an entity's systems and in a format such as eXtended Markup Language (XML) that cyber devices could read. In response to the alert, the infrastructure could automatically check itself then notify officials of the exact location and extent of compromise or of susceptibility to a potential attack. In response, a digital policy (i.e., machine instructions) could be deployed to take infected devices offline, change the configuration of healthy devices to harden them against potential attack, block the incoming malware, or block outbound traffic to the receiving site(s). Immediately upon detection of a compromise, a digital policy could be deployed to alert others of the situation and begin sharing discoveries in an information exchange format that could be authenticated and automatically fed into cyber devices in other cyber infrastructures.

[1] Sean P. Gorman, Rajendra G. Kulkarni, Larie A. Schintler, and Roger R. Stough, Least Effort Strategies for Cybersecurity, http://arxiv.org/ftp/cond-mat/papers/0306/0306002.pdf
[2] Anil Ananthaswamy, Internet immunity system promises to defang worm attacks, http://www.newscientist.com/article/mj20327215.000-internet-immune-system-could-block-viruses.html
[3] Gorman et al.
[4] Ananthaswamy
[5] See Using External Security Monitors to Secure BGP, Patrick Reynolds, Oliver Kennedy, Emin Gun Sirer, and Fred B. Schneider at http://www.cs.cornell.edu/fbs/publications/NexusBGPtr.pdf for another indicator that ecosystem health could be improved with marginal impact to existing devices, protocols, and operations. Reynolds et al. say that deploying an external security monitor to a random 10% of autonomous systems in the Internet suffices to guarantee security for 80% of Internet routes where both endpoints are monitored.
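The flow described above, an externally supplied machine-readable alert that is authenticated and then turned into a digital policy, as an added Python example that is not part of the DHS paper. The XML schema, the shared secret, the addresses and the hardening setting name are all constructed; a keyed HMAC stands in for whatever signature or certificate mechanism a real exchange would use. The point it makes is an ordering one: the alert is authenticated before it is parsed, and an alert that fails authentication drives no automated action at all.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed: keys shared with the external sources this organization trusts.
# A real deployment would use certificates or signatures; the HMAC here only
# models "trusted and authenticated source".
TRUSTED_SOURCE_KEYS: Dict[str, bytes] = {
    "monitoring-service.example": b"constructed-shared-secret",
}

# Constructed alert in a made-up XML schema (not any real standard).
SAMPLE_ALERT = """<alert id="A-0001">
  <indicator type="infected-host">10.0.0.17</indicator>
  <indicator type="malware-origin">198.51.100.9</indicator>
  <indicator type="exfil-destination">203.0.113.7</indicator>
  <hardening setting="constructed-hardening-setting"/>
</alert>"""

# Indicator type -> digital-policy action: take the infected device offline,
# block the incoming malware source, or block outbound traffic to the receiving site.
ACTION_FOR_INDICATOR: Dict[str, str] = {
    "infected-host": "isolate",
    "malware-origin": "block-inbound",
    "exfil-destination": "block-outbound",
}

Action = Tuple[str, str]


def sign_alert(source: str, alert_xml: str, key: bytes) -> str:
    """HMAC-SHA256 tag over the claimed source name and the alert body."""
    msg = source.encode() + b"\n" + alert_xml.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_alert(source: str, alert_xml: str, signature: str) -> bool:
    """Authenticate before parsing: an unknown source or a bad tag means the
    XML is never handed to the parser or to any automated response."""
    key = TRUSTED_SOURCE_KEYS.get(source)
    if key is None:
        return False
    return hmac.compare_digest(sign_alert(source, alert_xml, key), signature)


def build_digital_policy(source: str, alert_xml: str, signature: str) -> List[Action]:
    """Translate an authenticated alert into machine-executable actions.
    Returns an empty policy for anything that fails authentication."""
    if not verify_alert(source, alert_xml, signature):
        return []
    root = ET.fromstring(alert_xml)
    policy: List[Action] = []
    for ind in root.findall("indicator"):
        action = ACTION_FOR_INDICATOR.get(ind.get("type", ""))
        if action and ind.text and ind.text.strip():
            policy.append((action, ind.text.strip()))
    for h in root.findall("hardening"):
        setting = h.get("setting")
        if setting:
            policy.append(("harden", setting))
    return policy


if __name__ == "__main__":
    src = "monitoring-service.example"
    tag = sign_alert(src, SAMPLE_ALERT, TRUSTED_SOURCE_KEYS[src])
    print(build_digital_policy(src, SAMPLE_ALERT, tag))
    # A tampered body or an unknown source yields no actions:
    print(build_digital_policy(src, SAMPLE_ALERT.replace("10.0.0.17", "10.0.0.99"), tag))
    print(build_digital_policy("unknown.example", SAMPLE_ALERT, tag))
```

The returned policy is a plain list of (action, target) pairs so that the decision of what to do stays separate from the enforcement that would apply it on a firewall or host; the paper's later discussion of security content automation draws exactly that line between security information and security functions.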

A healthy cyber ecosystem would interoperate broadly, collaborate effectively in a distributed environment, respond with agility, and recover rapidly. With a rich web of security partnerships, shared strategies, pre-approved and pre-positioned digital policies, interoperable information exchanges, and healthy participants (persons, devices, and processes), a healthy cyber ecosystem could defend against a full spectrum of known and emerging threats, including attacks against the supply chain, remote network-based attacks, proximate or physical attacks, and insider attacks; improve the reliability and resilience of critical infrastructures; and better assure privacy, business processes, and missions.

Building Blocks for a Healthy Cyber Ecosystem

Building Block 1: Automation

Automated Courses of Action (ACOAs) are strategies that incorporate decisions made and actions taken in response to cyber situations. Automation frees humans to do what they do well: think, ask questions, and make judgments about complex situations. Automation allows the speed of response to approach the speed of attack, rather than relying on human responses to attacks that are occurring at machine speed. With the ability to execute at machine speed, defenders could get inside the turning circles or decision cycles of attackers. Further, automation could make it easier to adopt and adapt new or proven security solutions.

One potential inspiration for ACOAs is the human immune system, illustrated in Figure 3.[6]

[6] See Immunology, diversity, and homeostasis: the past and future of biologically inspired computer defenses, Anil Somayaji, Journal Information Security Tech., Vol 12, Issue 4, September 2007, http://portal.acm.org/beta/citation.cfm?id=1324630, for a useful survey of this field.
Figure 3: Overview of Human Immune System

Skin
1. Encapsulating physical barrier
2. Detection and early warning (touch)
3. Antibacterial and antifungal properties (e.g., acids)

Entry Points (e.g., eyes, mouth, nose)
1. Traps and filters (e.g., mucus, mast cells)
2. Detection and early warning (smell, taste)
3. Antipathogenic properties (e.g., tears, saliva)

Internal System (defenders and signaling)
1. Defenders are specialists: patrollers, killers, cleaners, or helpers
2. All cells that are part of the body (self) present an identifier that is known to defenders
3. Patrollers detect and counter invaders: cells that don't present a known good identifier or that have a known bad identifier (antigen)
4. Countermeasures may disable (toxic chemical action), prevent movement across cell walls, or destroy the invader
5. Helpers sound the alert and activate rapid production of more patrollers and killers
6. Helpers guide killers and cleaners to the detection site
7. Patrollers, killers, and cleaners also flood the bloodstream, looking for any other antigens
8. Helpers may activate supplementary kill mechanisms (e.g., fever)
9. Killers cause invaders and infected cells to die and cleaners engulf them
10. Specialized patrollers and killers that are primed with the invader's identifier are produced to remember and protect against future invasions

The internal system is actually two interrelated systems: one that is stationary and local to cells (cell-mediated) and one that is global to the entire body, moving throughout it via the bloodstream and lymph systems (humoral). Each of these interrelated systems has its own locus for sustainment (e.g., thymus, bone marrow) and sophisticated mechanisms for synchronized activity.[7][8]

A healthy cyber ecosystem might employ an automation strategy of fixed local defenses supported by mobile and global defenses at multiple levels. Such a strategy could enable the cyber ecosystem to sustain itself and supported missions while fighting through attacks. Further, it could enable the ecosystem to continuously strengthen itself against the cyber equivalent of autoimmune disorders. For example, within an organization, cyber devices that directly provide end user, mission, or business functionality might maintain a high awareness of user behavior, expectations, and service level agreements, be tuned to sense and respond to user situations, signal local or user level status to organizational devices, and correlate discoveries and synchronize responses with organizational devices.

[7] Human Physiology/The Immune System, http://en.wikibooks.org/wiki/Human_Physiology/The_Immune_System
[8] How Your Immune System Works, http://health.howstuffworks.com/immune-system.htm

Cyber devices that provide or manage organization-wide connectivity and services might be tuned to sense and respond to organizational situations, signal organizational status to user level devices, correlate discoveries and synchronize responses with user level devices, and provide support or augmentation to user situations. Enforcement of organizational policies such as privacy protection could be synchronized across user and organizational levels. In addition to the ability to signal and synchronize across levels, each level could have internal synchronization and analysis capabilities. For example, all devices supporting users, or classes of users, could share a focus and convergence approach that would include security policies and pooled analytic resources, as could all devices supporting organizational services or classes of services. In turn, an organization could share information and coordinate activities or synchronize ACOAs with a larger business, political, or geographic domain, or with the worldwide cyber environment.

Cyber devices endowed with strong feed-forward and feedback signaling mechanisms that assume and can accommodate communications failures and operating in an environment with trusted end-to-end identification and authentication of all participants would enjoy a heightened ability to observe, record, and share what is happening to and around them. In turn, they could:
- Proactively take preventive measures;
- Reject requests that do not fit the profile of what is good, a priori, for themselves or the larger cyber environment;
- Sense malicious actors and autonomously refine the evidence captured for diagnosis or in support of the development of future prevention methods; and
- Autonomously enact defensive responses or even build such responses in real time.[9]

    Acompanion

    source

    of

    inspiration

    for

    ACOAs

    comes

    from

    the

    public

    health

    sector,

    although

    for

    manyprocessesinthisdomain,automationissomedistanceaway. Publichealthservices

    conductpopulationhealthsurveillanceandreacttothreatstotheoverallhealthof

    communities. ThestatedmissionoftheCentersforDiseasePreventionandControl(CDC)is:

    tocollaboratetocreatetheexpertise,information,andtoolsthatpeopleandcommunities

    needtoprotecttheirhealththroughhealthpromotion,preventionofdisease,injuryand

    disability,andpreparednessfornewhealththreats.10

    ThecyberequivalentofaCDCmight

    performfunctionssuchasthefollowing:

    Watch:Gatherdataoncyberthreatsandcybersecurityoutbreaksthatareanalogousto

    theinformationaboutdiseasesreportedbyhealthcareproviders.

    Datadissemination:Providedataaboutthespreadanddangerofthreatstohelp

    communitiesandorganizationsplanprotectivemeasuresandresponses.

    9 CyberLeapYearSummitCoChairsReport,

    http://www.cyber.st.dhs.gov/docs/National_Cyber_Leap_Year_Summit_2009_CoChairs_Report.pdf10

    TheCDCMission,http://www.cdc.gov/about/organization/mission.htm

    http://www.cyber.st.dhs.gov/docs/National_Cyber_Leap_Year_Summit_2009_Co-Chairs_Report.pdfhttp://www.cyber.st.dhs.gov/docs/National_Cyber_Leap_Year_Summit_2009_Co-Chairs_Report.pdfhttp://www.cyber.st.dhs.gov/docs/National_Cyber_Leap_Year_Summit_2009_Co-Chairs_Report.pdfhttp://www.cdc.gov/about/organization/mission.htmhttp://www.cdc.gov/about/organization/mission.htmhttp://www.cdc.gov/about/organization/mission.htmhttp://www.cyber.st.dhs.gov/docs/National_Cyber_Leap_Year_Summit_2009_Co-Chairs_Report.pdf
  • 7/28/2019 DHS nppd-cyber-ecosystem-white-paper-03-23-2011.pdf

    11/29

    March23,2011 11

    Cyberthreatanalysis:Investigateanddiagnosecyberthreatsinthecommunity. Where

    possible,verifyoutbreaksofnewcyberthreatsandunderstandthecauses,extentand

    impactoftheseoutbreaks.

    Interventionanalysisandrecommendations:Provideacost/benefitanalysisofpotential

    interventionsandmakerecommendations.

    Coordinationofpreventiveactions:Coordinateresponsestrategiesandtheirexecution,

    forexample,theequivalentofquarantiningandvaccinationstrategiesorcyber

    patrollingforfraud.11
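The functions just listed can be read as a pipeline. As an added illustration that is not part of the DHS paper, the Python below runs Watch, Cyber threat analysis, Intervention analysis and Coordination of preventive actions over a handful of constructed, CEE-like JSON events reported by several devices, and emits the ACOA the list describes (quarantine or rate limit). The event fields, the thresholds that define an outbreak, the requirement that two independent sensors corroborate it, and the cost/benefit rule are this example's own assumptions, not anything the paper specifies.

```python
"""Added example (not from the DHS paper): a minimal 'cyber CDC' pipeline.
Watch -> threat analysis -> intervention analysis -> coordination, run over
structured events from several devices, producing an Automated Course of
Action (ACOA). Event format, thresholds and ACOA names are assumptions."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [  # constructed CEE-like JSON events, one per line; not captured traffic
    '{"time":"2011-03-23T10:00:01Z","reporter":"fw-01","src":"203.0.113.7","dst":"10.0.1.5","action":"auth_failure","svc":"ssh"}',
    '{"time":"2011-03-23T10:00:09Z","reporter":"ids-02","src":"203.0.113.7","dst":"10.0.1.6","action":"auth_failure","svc":"ssh"}',
    '{"time":"2011-03-23T10:00:15Z","reporter":"fw-01","src":"203.0.113.7","dst":"10.0.1.7","action":"auth_failure","svc":"ssh"}',
    '{"time":"2011-03-23T10:01:40Z","reporter":"ids-02","src":"203.0.113.7","dst":"10.0.1.8","action":"auth_failure","svc":"ssh"}',
    '{"time":"2011-03-23T10:02:00Z","reporter":"fw-01","src":"198.51.100.9","dst":"10.0.1.5","action":"auth_failure","svc":"ssh"}',
    '{"time":"2011-03-23T10:02:30Z","reporter":"fw-01","src":"198.51.100.9","dst":"10.0.1.5","action":"auth_failure","svc":"ssh"}',
    '{"time":"2011-03-23T10:03:00Z","reporter":"fw-01","src":"192.0.2.44","dst":"10.0.1.5","action":"auth_failure","svc":"ssh"}',
    '{"time":"2011-03-23T10:03:05Z","reporter":"ids-02","src":"192.0.2.44","dst":"10.0.1.6","action":"auth_failure","svc":"ssh"}',
    '{"time":"2011-03-23T10:03:10Z","reporter":"host-07","src":"192.0.2.44","dst":"10.0.1.7","action":"auth_failure","svc":"ssh"}',
    '{"time":"2011-03-23T10:03:40Z","reporter":"host-07","src":"192.0.2.44","dst":"10.0.1.7","action":"auth_success","svc":"ssh"}',
    'not json at all',  # a malformed report, to show the watch step tolerating it
]

def watch(lines):
    """Watch: ingest reports from many devices; skip malformed lines instead of crashing."""
    events = []
    for line in lines:
        try:
            e = json.loads(line)
            e["time"] = datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
        except (ValueError, KeyError, TypeError):
            continue
    return sorted(events, key=lambda e: e["time"])

def analyze(events, window=timedelta(minutes=5), min_targets=3, min_reporters=2):
    """Threat analysis: one source failing authentication against >= min_targets hosts
    inside `window`, corroborated by >= min_reporters independent sensors, is a verified
    outbreak. A single host hit repeatedly, or a single sensor's word, is not."""
    by_src = defaultdict(list)
    for e in events:
        if e["action"] == "auth_failure":
            by_src[e["src"]].append(e)
    outbreaks = {}
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            targets = {e["dst"] for e in burst}
            reporters = {e["reporter"] for e in burst}
            if len(targets) >= min_targets and len(reporters) >= min_reporters:
                outbreaks[src] = {"targets": sorted(targets), "reporters": sorted(reporters),
                                  "failures": len(burst), "first": first["time"],
                                  "last": burst[-1]["time"]}
                break
    return outbreaks

def recommend(src, outbreak, events):
    """Intervention analysis: benefit is the number of hosts protected; cost is the number
    of legitimate sessions from the same source that a full quarantine would also cut."""
    legit = sum(1 for e in events if e["src"] == src and e["action"] == "auth_success")
    benefit = len(outbreak["targets"])
    if legit == 0:
        return {"acoa": "quarantine", "benefit": benefit, "cost": 0}
    return {"acoa": "rate_limit", "benefit": benefit, "cost": legit}

def coordinate(src, outbreak, rec, ttl=timedelta(hours=1)):
    """Coordination: package the decision, its expiry and its evidence for every device."""
    return {"acoa": rec["acoa"], "target": src, "scope": "community",
            "expires": (outbreak["last"] + ttl).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "evidence": {"failures": outbreak["failures"], "hosts": outbreak["targets"],
                         "reporters": outbreak["reporters"]}}

def run(lines):
    """Whole pipeline: returns {source: coordinated ACOA message}."""
    events = watch(lines)
    return {src: coordinate(src, ob, recommend(src, ob, events))
            for src, ob in analyze(events).items()}

if __name__ == "__main__":
    for src, decision in run(SAMPLE_EVENTS).items():
        print(src, json.dumps(decision))
```

Two design points a practitioner would want from such a pipeline: the analysis step does not act on a single reporter's word (an outbreak needs corroboration from at least two sensors, the cyber analogue of verifying a reported disease cluster before declaring it), and the coordinated ACOA carries an expiry and the evidence it rests on, so receiving devices can age the quarantine out and auditors can see why it was imposed. On the constructed input, 203.0.113.7 is quarantined, 192.0.2.44 (which also had a successful login) is rate-limited, and 198.51.100.9 is left alone.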

Building Block 2: Interoperability

Interoperability allows cyber communities to be defined by policies rather than by technical constraints and permits cyber participants to collaborate seamlessly and dynamically in automated community defense. Interoperability enables common operational pictures and shared situational awareness to emerge and disseminate rapidly. The creation of new kinds of intelligence (such as fused sensor inputs), coupled with rapid learning at both the machine and the human levels, could fundamentally change the ecosystem.

Unfortunately, within cyber security today, many available devices (e.g., firewalls, file integrity checkers, virus scanners, intrusion detection systems, anti-malware software) operate independently and neither exchange data nor have consistent security policies. Each of them may have been developed by a different vendor, perhaps even competitors, without adherence to internationally accepted open standards. In other cases, the standards are not yet mature. Thus, in today's ecosystem, collaboration is possible but difficult. We must reach a point where the only barriers to collaboration across devices, people, and organizations are those we choose to impose by policy, not those that are imposed on us by technology.

Three types of interoperability12 are fundamental to integrating the many disparate participants into a comprehensive cyber defense system that can create new intelligence and make and implement decisions at machine speed:

Semantic Interoperability. The ability of each sending party to communicate data and have receiving parties understand the message in the sense intended by the sending party.

Technical Interoperability. The ability for different technologies to communicate and exchange data based upon well-defined and widely adopted interface standards.

Policy Interoperability. Common business processes related to the transmission, receipt, and acceptance of data among participants.

11 An approach that is also inspired by public health models is described in Collective Defense: Applying Public Health Models to the Internet, http://www.microsoft.com/mscorp/twc/endtoendtrust/vision/internethealth.aspx. In this approach, access to other online resources is contingent upon the health of a device. Devices seeking access must be able to demonstrate good health through a trusted health certificate. If the device's health level is acceptable, then access is granted. If a security concern is identified, then the entity being petitioned for access (an Internet Service Provider, for example) could provide a notice that assists the user in addressing the security concern, render advice or assistance, or direct the user to resources for remediation.
12 National Strategy for Trusted Identities in Cyberspace (NSTIC)

Within cyber security, all three types of interoperability are being enabled through an approach that has been refined over the past decade by many in industry, academia, and government. It is an information-oriented approach, generally referred to as [cyber] security content automation, and comprises the following elements.13

Enumerations. These are lists or catalogs of the fundamental entities of cyber security, for example, cyber devices and software items (CPE); device and software configurations (CCE); publicly known weaknesses in architecture, design, or code (CWE); publicly known flaws or vulnerabilities (CVE); or publicly known attack patterns (CAPEC). Enumerations enable semantic interoperability.

Languages and Formats. These incorporate enumerations and support the creation of machine-readable security state assertions, assessment results, audit logs, messages, and reports. Examples include patterns associated with assets, configurations, vulnerabilities, and software patches (XCCDF & OVAL); security announcements (CAIF); events (CEE); malware (MAEC); risk associated with vulnerability (CVSS); sensor collection and correlation (ARF); and US-CERT security bulletins and incident reports (NIEM). Languages and formats enable technical interoperability.

Knowledge Repositories. These contain a broad collection of best practices, benchmarks, profiles, standards, templates, checklists, tools, guidelines, rules, and principles, among others. In many respects, knowledge repositories serve as the cyber security community memory and enable policy interoperability. Examples include Information Assurance Checklists housed on the National Checklist Program website (http://checklists.nist.gov/), Department of Defense Security Technical Implementation Guides (STIGs), and vendor guides.
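To make the three element types concrete, here is an added example, written for this page and not taken from the paper or from any reference implementation of the named standards. It joins an asset inventory expressed as CPE 2.3 names against vulnerability records that carry a CVE identifier, a CPE applicability pattern and a CVSS v2 vector, and ranks the findings by computed base score. The CVSS v2 weights and formula are those of the CVSS v2 specification; the inventory, the CPE names, the CVE-0000-NNNN identifiers and the vectors are constructed placeholders, not real products or advisories.

```python
"""Added example (not from the DHS paper): enumerations (CPE, CVE) and a scoring
format (CVSS v2) working together to turn an inventory plus advisories into a
ranked finding list. All records below are constructed placeholders."""
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 base-metric weights, as given in the CVSS v2 specification.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}        # access vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}         # access complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}        # authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}       # confidentiality/integrity/availability impact

def cvss2_base_score(vector):
    """CVSS v2 base score for a vector such as 'AV:N/AC:L/Au:N/C:P/I:P/A:P'."""
    m = dict(part.split(":") for part in vector.split("/"))
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176     # no impact at all scores 0 regardless of exposure
    raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return float(Decimal(str(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))

def parse_cpe23(name):
    """Split a CPE 2.3 formatted string into its 11 named attributes, honouring '\\:' escapes."""
    fields, cur, i = [], "", 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):   # escaped character: keep it with its backslash
            cur += name[i:i + 2]
            i += 2
            continue
        if ch == ":":
            fields.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    fields.append(cur)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: %r" % name)
    keys = ["part", "vendor", "product", "version", "update", "edition", "language",
            "sw_edition", "target_sw", "target_hw", "other"]
    return dict(zip(keys, fields[2:]))

def cpe_matches(pattern, target):
    """Does an applicability pattern cover an inventory name? '*' (ANY) in the pattern
    matches any value; everything else, including '-' (NA), must match exactly."""
    p, t = parse_cpe23(pattern), parse_cpe23(target)
    return all(p[k] == "*" or p[k].lower() == t[k].lower() for k in p)

INVENTORY = {  # constructed asset inventory: hostname -> CPE 2.3 names found on it
    "web-01": ["cpe:2.3:o:examplecorp:serveros:5.2:*:*:*:*:*:*:*",
               "cpe:2.3:a:examplecorp:httpserver:2.2.14:*:*:*:*:*:*:*"],
    "db-01": ["cpe:2.3:o:examplecorp:serveros:5.2:*:*:*:*:*:*:*",
              "cpe:2.3:a:examplecorp:dbengine:9.0:sp1:*:*:*:*:*:*"],
}

VULNERABILITIES = [  # constructed records shaped like CVE entry + CPE applicability + CVSS v2
    {"id": "CVE-0000-0001", "cpe": "cpe:2.3:a:examplecorp:httpserver:2.2.14:*:*:*:*:*:*:*",
     "cvss": "AV:N/AC:L/Au:N/C:C/I:C/A:C"},
    {"id": "CVE-0000-0002", "cpe": "cpe:2.3:a:examplecorp:dbengine:9.0:*:*:*:*:*:*:*",
     "cvss": "AV:N/AC:L/Au:N/C:P/I:P/A:P"},
    {"id": "CVE-0000-0003", "cpe": "cpe:2.3:o:examplecorp:serveros:5.2:*:*:*:*:*:*:*",
     "cvss": "AV:L/AC:L/Au:N/C:N/I:N/A:N"},
]

def prioritized_findings(inventory=INVENTORY, vulns=VULNERABILITIES):
    """Join inventory (CPE) with vulnerability records (CVE/CPE/CVSS); rank by score."""
    findings = []
    for host, cpes in inventory.items():
        for v in vulns:
            if any(cpe_matches(v["cpe"], c) for c in cpes):
                findings.append((host, v["id"], cvss2_base_score(v["cvss"])))
    return sorted(findings, key=lambda f: (-f[2], f[0], f[1]))

if __name__ == "__main__":
    for host, cve, score in prioritized_findings():
        print("%-8s %-14s %4.1f" % (host, cve, score))
```

The example also shows where the semantic layer does its work and where it stops: a record joins to an asset only when both sides used the same CPE vendor and product names, and version matching here is exact (a CPE pattern names one version or ANY; version ranges belong to the vulnerability language, OVAL, not to the enumeration). In practice the join fails most often on naming drift between the inventory tool and the advisory source, which is exactly the gap the enumerations exist to close.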

Figure 4 presents a history of U.S. Government-supported security content automation efforts along with projected achievements through 2014. Projections are based on current resourcing and the interests of a largely volunteer and self-directed community. Figure 4 also illustrates how standards build upon themselves to expand functionality over time (e.g., the expansion of configuration management capabilities from desktops to networks).

13 See the Glossary at the end of this paper for the full name of the various named standards.

Figure 4. History and Near-Term Forecast of Cyber Security Automation Standards Development

Another way to approach the evolution of cyber security content automation is through a strategic consideration of what is needed and possible. Figure 5 presents an array of security functions that can be transformed by content automation and exchange. Standards supporting the first wave are extant and documented in NIST SP 800-126, The Technical Specification for the Security Content Automation Protocol.14 Many of the standards necessary to support the second wave are in development now, and some of the challenges associated with bridging the two waves are discussed later in this section. The third wave identifies a logical progression. As with the historical transition from e-commerce to e-business, succeeding waves build in capability and become more strategic in focus.

Figure 5: Strategic Consideration of Cyber Security Content Automation
(Figure not reproduced. Functions named in the figure, in the order they appear: vulnerability assessment; configuration assessment; compliance management; asset inventory; malware analysis; structured threat information; incident reporting; enterprise reporting; event management; remediation; network device assessment; remote assessment; software assurance; collaborative threat intelligence; sensing and warning; response; forensics and damage assessment; recovery; reconstitution; modeling and simulation; supply chain assurance; architecture; design; engineering; testing, attestation, assurance and [truncated in source].)

The success of any single function and the integration of functions within and across waves depend on semantic, technical, and policy interoperability. These three types of interoperability are themselves interdependent, and they mature as each adapts to changes in the other. Some level of semantic interoperability must be achieved and some vision of policy (or process) interoperability is necessary in order to successfully develop and employ technical interoperability. A simple example would be the publication of US-CERT bulletins in XML blobs. The technical standards must be underpinned by sender/receiver agreement on the meaning of the content and by agreement on how the XML-structured bulletins are to be received and processed. In turn, achievements in technical interoperability enable advances in semantic and policy interoperability, and these advances trigger further advances in technical interoperability.

14 NIST SP 800-126 Rev 1, DRAFT The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.1, January 11, 2011, http://csrc.nist.gov/publications/PubsSPs.html

Advances in semantic and policy interoperability almost always start with persons and progress to devices. Further, advances in interoperability have short-term advantages. For example, the first wave of security content automation is enabling the recent federal commitment to continuous monitoring, and progress in the second wave, combined with gains achieved during the first wave, is enabling XML-based incident reporting to the US-CERT.

The three waves of automated security functions depicted in Figure 5 can be summarized as progress along three axes:

Figure 6: Axes of Progress

Axis         Progression
Space        From hosts to networks and applications
Time         From static to dynamic
Capability   From configuration to integrated policy and audit

A third way to examine cyber security content automation is through the generalized functional model in use by the standards community. As illustrated in Figure 7 below, the security functions contained in this model generally represent the first wave plus a portion of the second wave. Security content automation standards that can facilitate the exchange of information with and among functions are annotated adjacent to each function, input, or output.

Figure 7: Generalized Functional Model Informing Standards Development

This model is lifecycle-oriented and enterprise- or organization-focused. Capabilities are expected to build on one another (from left to right). Each function (e.g., asset inventory, configuration guidance analysis, vulnerability analysis) is viewed as a black box and assumed to be provided by current or future commercial products. Integration across functions is also assumed. The current model does not address formulation or dynamic evolution of ACOAs; however, it does provide a reasonable foundation for ACOA execution.

In general, the functions can be organized into pre-incident detection (asset inventory, configuration guidance analysis, and vulnerability analysis plus threat analysis) and post-incident detection (intrusion detection and incident management plus threat analysis). This organizing construct aligns with the waves presented in Figure 5 above. As illustrated, the structuring of threat information is a second-wave activity. The effort to standardize threat alerts and automate threat analysis may prove more complex than previous security content automation efforts because standardization must:

Bridge these two operational dimensions (pre- and post-incident detection); and

Add value for enterprises that lack automated capabilities on one side or the other.

In addition, on the whole, the post-incident detection space is less standards-based than the pre-incident detection space. Advances in semantic and policy interoperability regarding what constitutes a reportable incident, what attributes best support incident management, and how these attributes are to be sourced and shared are needed to advance technical standards and interoperability.

Building Block 3: Authentication

Authentication should enable trusted online decisions. Nearly every decision in an online environment involves resources and actors at a distance. When needed for a decision, authentication provides appropriate assurance that the participants are authentic or genuine, and it should do so in a way that enhances individual privacy. In a healthy ecosystem, authentication could extend beyond persons to include cyber devices (e.g., computers, software, or information).

Authentication is critical to cyber defense because communications and content attribution are essential factors in security decisions. Authentication is also foundational to many capabilities beyond cyber defense.15

In a healthy cyber ecosystem, sending and receiving parties could be known and accountable for their actions, but protect anonymity where it may be needed to preserve the purpose of the exchange. Consumers of shared cyber awareness could judge the trustworthiness of providers and their contributions, and providers could confirm that requesters are authorized access to such information. Authentication mechanisms could be strong enough to protect against identity theft and spoofing, while at the same time remaining affordable, easy to use and administer, scalable, and interoperable. They could also be designed to enhance individual privacy by allowing voluntary, opt-in regimes.

Common authentication technologies rely on (1) something you know (e.g., passwords), (2) something you have (e.g., a digital credential), or (3) something you are (e.g., biometrics). Each of these technologies has characteristics that impact security strength, affordability, ease of use and administration, scalability, and interoperability. Significant considerations include ease of integration into emerging and deployed devices and software applications and ease of exchange or federation across networks and organizations.

Unfortunately, in today's market, system developers and owners find few if any technologies that deliver on all five operational objectives: security, affordability, ease of use and administration, scalability, and interoperability. The usual approach is to divide up enterprises and user populations to control and vary the objective that gets optimized. This creates a complex landscape of multiple authentication technologies with limited interoperability, vulnerable security seams, and barriers to business or organizational change.

A healthy cyber ecosystem could have standards-based authentication technologies that deliver more comprehensively across all five operational objectives. To support near-term decisions, consumer guides that rate technologies across all five objectives and assist system developers and owners in making phased improvements and selections could be available. For automated cyber defense, a healthy cyber ecosystem could have strong standards-based device authentication, including small and usually wireless devices composing massively scalable grids. Finally, a healthy ecosystem could have broad ways to express and manage trust that combine trust attributes about people, transactions, technology, and information into new decision frameworks and metrics. Such frameworks could recognize that trust is not a binary or static state, but is fluid and conditioned upon evolving operational and environmental factors.

15 For additional detail, see the National Strategy for Trusted Identities in Cyberspace, available at http://www.dhs.gov/xlibrary/assets/ns_tic.pdf

Key Concepts: Focus, Convergence, and Maturity

The prevailing construct for cyber security is illustrated in Figure 8. Cyber security processes are a combination of local and global activities. The distribution of activities between local and global may differ from process to process, activity to activity, participant to participant, or event to event. The range of local-to-global extends from the circuitry within a single cyber device (e.g., a mobile phone, personal computer, medical device, or electric grid component) to distributed software applications, data centers, networks, and clouds. To successfully defend against active and intelligent adversaries in such complex and uncertain networked environments, current thinking suggests the need for a new view of command and control, one that emphasizes agility, focus, and convergence:

Figure 8. Prevailing Cybersecurity Construct

"In brief, agility is the critical capability that organizations need to meet the challenges of complexity and uncertainty; focus provides the context and defines the purposes of the endeavor; convergence is the goal-seeking process that guides actions and effects. ... Focus as a replacement for command speaks directly to what command is meant to accomplish while being agnostic with respect to the existence of someone in charge or particular lines of authority. Similarly, convergence speaks directly to what control (the verb) is meant to achieve without asserting that control as a verb is possible or desirable."16

As suggested earlier, this paper focuses primarily on how networked devices can become actors in their own and the network's defense. To illustrate a range of capabilities that such devices will begin to embody, we present a five-level maturity model in Figure 9.17

16 Agility, Focus, and Convergence: The Future of Command and Control, David S. Alberts (OASD/NII), The International C2 Journal, Vol 1, No 1, 2007, http://www.dodccrp.org/files/IC2J_v1n1_01_Alberts.pdf

The model considers Focus and Convergence (F&C) in terms of increasing agility, that is, effectiveness in dealing with change over time. As with other maturity models, Level 5 represents the highest level of focus and convergence, while Level 1 represents the lowest. The five-level model is not a normative scale. That is, Level 5 is not always better than Level 3. Communities may opt to operate at lower levels for reasons of cost, efficiency, or other reasons. Describing the ecosystem in terms of multiple levels helps illustrate and demonstrate a system's high tolerance for diversity, as different communities will inevitably have different needs and be in different stages of evolution at any given point in time. For example, there are a number of outdated system components within the nation's critical infrastructure that are not able to interface with modern systems but will remain an important part of the ecosystem in the near term. The ability to leapfrog from this legacy technology to a modern cyber infrastructure is something that should be explored.

Figure 9: Focus and Convergence Maturity Model for Networked Environments

F&C Maturity Levels

Level 5, Edge F&C: Characterized by a robustly networked collection of devices having widespread and easy access to information, sharing information extensively, interacting in a rich and continuous fashion, and having the broadest possible distribution of decision rights. The objective of Edge F&C is to enable the community to self-synchronize in an agile and adaptable manner.

Level 4, Collaborative F&C: Characterized by multiple devices working together toward a common purpose and under a single, shared plan. Involves a considerable delegation of decision rights to the community. Aims to develop synergies by negotiating and establishing shared intent as well as a shared security policy, establishing or reconfiguring roles, coupling actions, and by engendering a rich sharing of resources and awareness.

Level 3, Coordinated F&C: Characterized by multiple devices related by mutual support for intent, expressed as links between and among security policies and actions that reinforce and enhance effects, along with some pooling of resources for specified activities.

Level 2, Deconflicted F&C: Characterized by a partitioning of the problem space among devices to avoid adverse cross-effects. Establishment and maintenance of the partitions requires limited information sharing and interaction among devices.

Level 1, Isolated F&C: Characterized by individual devices exercising focus and convergence only over their own resources. Hence, there is no shared objective; neither is there information distribution nor any other interaction among devices.

17 Adapted from the North Atlantic Treaty Organization (NATO) Network Enabled Capability (NEC) C2 Maturity Model, February 2010, www.dodccrp.org

To consider how such a model might be applied, a framework for defining and thinking about the space of all possible F&C approaches is helpful. Three variables define the essence of F&C, and thus the F&C Approach Space is illustrated in Figure 10 below.

Figure 10: Focus and Convergence (F&C) Approach Space18

As Figure 10 illustrates, any focus and convergence approach may be viewed as a function of three interrelated dimensions:

1. The allocation of decision rights to the community;
2. The patterns of interaction that take place between and among devices; and
3. The distribution of information among devices.

Figure 11 summarizes how these three dimensions vary among the F&C levels.

Figure 11: Dimensions of Focus and Convergence19

Increased agility (moving from the bottom left to top right within the F&C approach space in Figure 10) can be viewed as:

The ability of devices to adopt ever wider ranges of approaches;

The ability of devices to recognize and adopt an appropriate approach, which is determined by the nature of the situation and how it is likely to evolve; and

The ability of devices to change approaches if necessary in a timely manner.

Considering F&C within an approach space also supports a growing recognition that there may be no single best system design or configuration, no best process for all situations and circumstances. Rather than optimization, the uncertainty in the mission space combined with the diverse and interacting effects of countermeasures and the complexity inherent in collective action lead to a need for agility. This might mean that devices routinely operate at lower levels of F&C for economy but have the ability to switch to higher levels of F&C for selected situations. It might also mean that routine F&C levels vary by devices' roles or locations within the ecosystem.

18 NATO NEC C2 Maturity Model
19 NATO NEC C2 Maturity Model

Increased agility among cyber devices is necessarily dependent upon and exists in synchrony with the agility of the organizations that own and operate them and the business or mission processes that consume their services. The three building blocks described earlier (automation, authentication and interoperability) increase agility and enable collective cyber defense. Decision rights originate with persons, organizations and business processes; and interoperability ensures that any delegation to cyber devices is communicated in a way that both humans and machines can understand. Automation provides the ability to act upon delegated decision rights at machine speed, and authentication allows the data necessary for a given decision to be trusted.

Attributes of a Healthy Cyber Ecosystem

Looking at the ecosystem through building blocks and maturity levels helps envision how a healthy ecosystem might work and how it might self-defend through automated collective action. This section begins to examine the desired end state. What might be different in a healthy ecosystem? What might be the value added?

In a healthy cyber ecosystem, we might find:

Information connected across space and time. Information discovered or created in one part of the ecosystem conveys rapidly to others rather than being siloed, e.g., information is preserved in ways that help discover patterns over time and can be configured to protect Personally Identifiable Information (PII) and other sensitive data.

Rapid and essentially universal learning. Machines learn from each other and people learn from machines.

Greater attribution. Machines and humans work together to improve attribution where needed while enhancing privacy.

New analytics. Data from multiple, otherwise discrete sources (e.g., sensors, red teams, trouble tickets) are fused, aggregated or otherwise transformed to create new intelligence.

Greater network reach. Security content is separated from delivery mechanisms and managed as an ecosystem asset. Earlier research in Tailored Trustworthy Spaces20 results in powerful new ways to work across multiple trust or classification levels.

New defensive tactics. Earlier research in Moving Target Defense21, combined with shared security policies and new intelligence, enables new courses of action such as dynamic networking or uncertainty. In other words, attacks only work once (i.e., one victim or one device) if at all.

Lifecycle Feedback. Rich feedback loops from operations into the front end of system and technology lifecycles reduce costs, shorten adoption cycles, and improve ecosystem health.

20 Federal Cybersecurity Game-change Research and Development (R&D) Themes, http://cybersecurity.nitrd.gov/page/federal-cybersecurity-1
21 Federal Cybersecurity Game-change Research and Development (R&D) Themes

Another way to examine the desired end state is through the qualities or attributes the building blocks might help create. A healthy cyber ecosystem might be:

Inclusive. Encompassing capabilities embedded in an ever-widening web that extends far beyond traditional notions of the public Internet or of information technology (IT) and services. A healthy cyber ecosystem would include the Smart Grid with its energy-controlled home networks and IP-addressable appliances, the next generation of the National Airspace System which takes advantage of satellite capabilities, and the large number of legacy devices and control systems which must interoperate with the newest technologies.

Effective. Able to defend against all types of cyber threats, including supply chain attacks; remote or network-based attacks, including those launched by sophisticated and well-resourced attackers using persistent methods; proximate or physical attacks or adverse events; and insider or disgruntled employee attacks.

Smart. Able to sense the environment, recognize patterns, and share information in near real time across sectors and communities at both the human and machine levels in order to assure authorized transactions, prevent the most serious security breaches and increase response effectiveness when breaches or other adverse events do occur.

Barrier-free. Having security choices instantiated in configurable digital policies rather than being hard-wired in network or system designs or imposed by technology limitations or shortfalls. Designers would design with the assumption that everything will be shared with everyone, and the only barriers to collaboration would be those imposed by policy.

Optimized. Having capabilities and decision making allocated among humans and machines so as to best leverage the strengths and cycle times of each, consistent with maintaining agility. Further, having cyber defense organized so that machines defend against machines and people defend against people.

Understandable. Having security expressed in user or stakeholder terms rather than in specialized security jargon and recognizing that everyone is a cyber security stakeholder. For example, stakeholders might want global visibility into the cyber environment, the ability to query the environment and get back a high-fidelity answer, and the ability to rationalize security costs.

Assured. Able to sustain consumer confidence over time. This might mean moving beyond traditional security notions of preventing unwanted transactions to ensuring the right transactions occur, which could contribute more broadly to a sense of consumer safety and trust in sector operations for transportation, energy, health, etc.

Usable. Having assembly, configuration, operational, and performance properties that are straightforward and well-behaving, rather than overwhelmingly complicated, brittle, and error-prone.

    AttributesofHealthyParticipantsJust

    as

    healthy

    individuals

    are

    essential

    to

    healthy

    communities,

    healthy

    participants

    are

    essentialtoahealthycyberecosystem. Cyberecosystemparticipantsincludepersons(both

    individualsandentities),devices,andprocesses.

    Personswhoareunhealthycyberparticipantsmightlackawarenessorskills,ortheymaynot

    bewhotheyclaim. Personswhoarehealthycyberparticipantsmighthavecontinuingaccess

    toarangeofeducation,trainingandawarenessopportunities,includingbutnotlimitedto

    exercises,simulations,andfullyimmersivelearningenvironments. Further,theymighthave

    validatedskillsthathavebeencodifiedfortheiroccupationsorpositionsandstronglyproofed

    cyberidentities.

Unhealthy cyber devices (computers, software, and communications technologies) lack awareness, functionality, or capacity or feature purposeful deceptions. Healthy cyber devices are:

- Self-Aware. Having the ability to collect information about security properties, draw conclusions, and report or act upon the conclusions.

- User-Aware. Having the ability to collect or receive and process information about supported users, missions, or business processes or assigned role in a larger cyber infrastructure plus ability to draw conclusions, report or act upon the conclusions, and implement policies that assure user privacy.

- Environmentally Aware. Having the ability to collect or receive and process information about the security of surrounding cyber devices of interest or the cyber environment, draw conclusions, and report or act upon the conclusions.

- Smart. Having the ability to retrospectively examine events and associated responses, correlate historical patterns with current status data, and either select from a range of ACOAs or formulate a new ACOA. Examples of ACOAs that may be deployed in near real time include filtering or rerouting traffic, cordoning off portions of the network or applications, changing access levels, reconfiguring assets, and quarantining users.

- Autonomously Reacting. Having the ability to initiate an ACOA.

- Dynamic. Having the ability to alter appearance or persona. Ideally, alterations are enacted on cycle times that are shorter than target acquisition and attack execution times. For example, today's systems tend to rely on selected system parameters for security, such as duration of timeouts or corruption thresholds. Typically, these parameters are chosen in advance and fixed for the lifetime of the system. Future devices could make these parameters variable. Additionally or alternatively, virtualization could be employed to project multiple decoy systems to confuse attackers and to frequently roll back actual systems to a known good state in order to obviate


- Collaborative. Having the ability to work in partnership with other participants to collect and assess security information, and select, formulate, or alter an ACOA intended to counter an attack or sustain priority services.

- Heterogeneous. Having the ability to collaborate with other participants using a common communications channel despite differences in affiliation, security policies or service level agreements.

- Diversifying. Having the ability to sense the appearance or persona of surrounding devices and to make oneself different from other devices.

- Resilient. For cyber defense purposes, having sufficient capacity to simultaneously collect or receive and assess security information, execute any ACOA, make alterations to the ACOA as needed, and sustain agreed-upon service levels.

- Trustworthy. Performing as expected and only as expected despite environmental disruption, user and operator errors, and attacks by hostile parties. Three approaches for achieving trustworthiness are software assurance [22], hardware-enabled trust (e.g., Trusted Computing Group based technologies, associated system architectures such as Network Admission Control or Trusted Network Connection, and trusted virtualization) and data provenance (e.g., metadata tags and labels containing identity, origin, and transformation history).
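The "Smart" and "Autonomously Reacting" attributes above describe a device that keeps a history of events and the responses already taken, correlates that history with its current status, and then selects an ACOA. The following Python sketch is an added example written for this page, not code from the DHS paper or any DHS program. The ACOA names are the ones the paper lists; the event kinds, the sixty-second window, the five-event threshold, the load figure and the sample events are all constructed for illustration.

```python
"""Toy "smart" device: retrospective event/response history correlated with
current status to pick an automated course of action (ACOA).
Added example; thresholds, event kinds and sample data are constructed."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Optional

# ACOAs the paper names as deployable in near real time (subset)
ACOAS = ("filter_traffic", "change_access_level", "quarantine_user", "reconfigure_asset")


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since boot (constructed clock)
    actor: str     # "host:<addr>" for remote peers, "user:<name>" for users
    kind: str      # "auth_fail" or "probe" (constructed event kinds)


@dataclass
class Response:
    ts: int
    actor: str
    acoa: str


@dataclass
class SmartDevice:
    window: int = 60                  # correlation window in seconds
    threshold: int = 5                # events per actor before acting
    history: Deque[Event] = field(default_factory=deque)
    responses: List[Response] = field(default_factory=list)

    def observe(self, ev: Event) -> None:
        """Self-aware step: collect security information, keep only the window."""
        self.history.append(ev)
        while self.history and self.history[0].ts < ev.ts - self.window:
            self.history.popleft()

    def _recent_count(self, actor: str, kind: str) -> int:
        return sum(1 for e in self.history if e.actor == actor and e.kind == kind)

    def _prior_acoa(self, actor: str) -> Optional[str]:
        """Retrospective step: what response was already taken for this actor?"""
        for r in reversed(self.responses):
            if r.actor == actor:
                return r.acoa
        return None

    def select_acoa(self, actor: str, now: int, load: float) -> Optional[str]:
        """Correlate history with current status (load) and pick an ACOA, or None."""
        fails = self._recent_count(actor, "auth_fail")
        probes = self._recent_count(actor, "probe")
        if fails + probes < self.threshold:
            return None
        prior = self._prior_acoa(actor)
        if actor.startswith("user:"):
            # A user who keeps failing after a reduced access level is quarantined.
            acoa = "quarantine_user" if prior == "change_access_level" else "change_access_level"
        else:
            # A remote host is filtered first; if that did not stop the probes and the
            # device is under heavy load, the asset itself is reconfigured.
            escalate = prior == "filter_traffic" and load > 0.8
            acoa = "reconfigure_asset" if escalate else "filter_traffic"
        self.responses.append(Response(now, actor, acoa))   # autonomously reacting
        return acoa


def run_demo() -> List[Optional[str]]:
    """Replay constructed bursts and return the ACOA chosen at each decision point."""
    dev = SmartDevice()
    decisions: List[Optional[str]] = []
    for t in range(5):                                   # 5 failed logins by a user
        dev.observe(Event(t, "user:alice", "auth_fail"))
    decisions.append(dev.select_acoa("user:alice", 5, 0.2))
    for t in range(6, 11):                               # failures continue after the response
        dev.observe(Event(t, "user:alice", "auth_fail"))
    decisions.append(dev.select_acoa("user:alice", 11, 0.2))
    for t in range(20, 25):                              # probes from a host (TEST-NET address)
        dev.observe(Event(t, "host:203.0.113.7", "probe"))
    decisions.append(dev.select_acoa("host:203.0.113.7", 25, 0.9))
    for t in range(26, 31):                              # probes continue while load is high
        dev.observe(Event(t, "host:203.0.113.7", "probe"))
    decisions.append(dev.select_acoa("host:203.0.113.7", 31, 0.9))
    decisions.append(dev.select_acoa("host:198.51.100.2", 31, 0.9))   # no history: no action
    return decisions


if __name__ == "__main__":
    print(run_demo())
```

The escalation path is the point: the second decision for the same actor is different from the first only because the device looked back at the response it had already taken, which is what distinguishes a "Smart" device from one that applies a fixed rule to the current event alone.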

Unhealthy information exchanges should be expensive or difficult to adapt. Or they might be easily compromised, disrupted, or corrupted. Healthy information exchanges are:

- Secure. Secure exchanges are those in which the identities of all participants in an exchange are authenticated, appropriate digital identities and minimum attribute data are asserted, and the vulnerability of any communications in the exchange to unauthorized interception, diversion, access, use, modification or disclosure is minimized [23].

- Environmentally Sustainable. Environmentally sustainable exchanges are structured for the most rational use of cyber resources (least effort), are bandwidth-friendly, easy to administer, and easy to achieve (for example, are broadly incorporated into commercial solutions).

- Rapidly customizable. Rapidly customizable exchanges are enabled by user-configurable profiles, parameters and rules and by open application programming interfaces (APIs).

[22] DHS Software Assurance Program, https://buildsecurityin.us-cert.gov/swa/

[23] National Strategy for Trusted Identities in Cyberspace (NSTIC)


- Lightweight and loosely coupled. Lightweight and loosely coupled exchanges are those that are achievable with existing infrastructure and with minor upgrades to existing tools and services, rather than through approaches that require extensive redesign.
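The "Secure" exchange attribute (authenticated participants, minimum attribute data) and the data provenance approach to trustworthiness (tags carrying identity, origin and transformation history) can be shown together in one message format. The Python below is an added example for this page, not a format or code from the DHS paper or from NSTIC; the participant names, the shared keys, the indicator payload and the message layout are all constructed. It uses HMAC from the standard library in place of the credential-backed signatures a real deployment would use, and it covers authentication and integrity only; protecting the exchange against interception would additionally require an encrypted channel, which is not shown.

```python
"""Provenance-tagged, authenticated cyber information message.
Added example; keys, participant names and payloads are constructed."""
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed keys standing in for each participant's proofed identity.
KEYS: Dict[str, bytes] = {
    "sensor-a": b"constructed-key-sensor-a",
    "analyst-b": b"constructed-key-analyst-b",
}


def _digest(attrs: dict, payload: dict) -> str:
    """Content digest over the asserted attributes and the payload."""
    canon = json.dumps({"attrs": attrs, "payload": payload}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def _mac(key: bytes, *parts: str) -> str:
    """Authentication tag binding a provenance entry to one participant's key."""
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).hexdigest()


def create(sender: str, key: bytes, attrs: dict, payload: dict, origin: str) -> dict:
    """Create a message; attrs should hold only the minimum attribute data the
    receiver needs (e.g. a role), not the sender's full identity record."""
    d = _digest(attrs, payload)
    entry = {"by": sender, "action": "created", "origin": origin, "digest": d, "prev": ""}
    entry["mac"] = _mac(key, sender, "created", origin, d, "")
    return {"attrs": attrs, "payload": payload, "provenance": [entry]}


def transform(msg: dict, actor: str, key: bytes, action: str, new_payload: dict) -> dict:
    """Append a transformation entry chained to the previous entry's tag."""
    prev = msg["provenance"][-1]["mac"]
    out = {"attrs": msg["attrs"], "payload": new_payload, "provenance": list(msg["provenance"])}
    d = _digest(out["attrs"], new_payload)
    entry = {"by": actor, "action": action, "origin": "", "digest": d, "prev": prev}
    entry["mac"] = _mac(key, actor, action, "", d, prev)
    out["provenance"].append(entry)
    return out


def verify(msg: dict, keys: Dict[str, bytes]) -> bool:
    """True only if every provenance entry was made by a known participant, the
    chain is unbroken, and the current content matches the latest entry."""
    chain: List[dict] = msg.get("provenance", [])
    if not chain:
        return False
    prev = ""
    for e in chain:
        key = keys.get(e["by"])
        if key is None or e["prev"] != prev:
            return False
        expected = _mac(key, e["by"], e["action"], e["origin"], e["digest"], e["prev"])
        if not hmac.compare_digest(expected, e["mac"]):
            return False
        prev = e["mac"]
    return chain[-1]["digest"] == _digest(msg["attrs"], msg["payload"])


def run_demo():
    """Create, enrich, then tamper with a message; return the four verify() results."""
    m = create("sensor-a", KEYS["sensor-a"], {"role": "ids-sensor"},
               {"indicator": "203.0.113.7", "kind": "probe"}, "site-1")
    ok_original = verify(m, KEYS)
    m2 = transform(m, "analyst-b", KEYS["analyst-b"], "enriched",
                   {**m["payload"], "confidence": 0.8})
    ok_transformed = verify(m2, KEYS)
    tampered = json.loads(json.dumps(m2))          # payload changed after signing
    tampered["payload"]["confidence"] = 1.0
    ok_tampered = verify(tampered, KEYS)
    stranger = json.loads(json.dumps(m2))          # entry claimed by an unknown party
    stranger["provenance"][-1]["by"] = "unknown-c"
    ok_stranger = verify(stranger, KEYS)
    return ok_original, ok_transformed, ok_tampered, ok_stranger


if __name__ == "__main__":
    print(run_demo())
```

A receiver that runs `verify()` learns who created the indicator, who enriched it and in what order, and that nothing was altered after the last tagged step, which is the information the "transformation history" tag is meant to carry.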

Ecosystem-generated value, desired ecosystem and participant attributes, and ecosystem building blocks all work together. For example, an ecosystem with the ability to make automated adjustments to configuration in response to trust choices would offer increased reliability and resilience for supported business, social and civic processes while improving the privacy and civil liberties of users. An ecosystem with such abilities would also be self-defending. A self-defending ecosystem with human involvement could force attackers to take more risks and be more exposed. These activities, combined with greater attribution, could enable law enforcement or other deterrence to be more effective. A healthy ecosystem, in other words, mutually reinforces security, usability, reliability, and the protection of privacy and civil liberties.

Incentives and Adoption

We know today that users are not routinely complying with cyber best practices and configuration guidelines. Adoption of security standards is decidedly slow, and early indications are that cybersecurity continuous monitoring will face impediments to adoption. This indicates an imbalance of incentives, whereby defenders are not incented, but attackers are.

A persistent challenge in today's ecosystem is the inability to establish level of harm as a result of a cyber incident, be it loss of intellectual property, privacy, consumer confidence, business opportunity, or essential services. Such inability may be due in part to a lack of agreement on how to establish extent in a highly interconnected environment as well as how to measure, validate, and communicate effects. It may also be due in part to a lack of trust, which impedes information sharing and collaboration.

Earlier, this paper proposed types of activities that might be associated with an appropriately automated and distributed Cyber CDC that performs threat and incident watch, data dissemination, threat analysis, intervention analysis and recommendations, and coordination of preventive actions. In addition to promoting cyber health among communities, such a capability could provide vendors and system owners with the information and insight needed to diagnose problems and evaluate options for new or improved capabilities. One way to get started is through increased sharing of anonymized cyber incident and mitigation data. Aggregation and analysis of such data might lead to an improved ability to show how investments in cyber health can reduce operating costs, improve business agility, or avoid extensive mitigation costs (e.g., the cost of data leakage protection software compared with the cost of mitigating large-scale identity information disclosure). Such insights would likely strengthen consumer demand for healthy products and services and reduce risks to participants.


Way Ahead

While this paper has presented a comprehensive view of a healthy cyber ecosystem, there are many open questions. On the more technical side, they include: Can the ongoing work on security content automation be repurposed for self-defense? Will commercial products conform to open standards? To what extent can focus, convergence, and agility be decentralized to cyber systems in an autonomic (i.e., self-managing) fashion? Can autonomic defenses scale to encompass large-scale, distributed and multi-domain environments (e.g., mobile telephony, IP-based networks, and computing platforms), and if so, what elements of trust would be required?

Moreover, the path to successful realization is unclear. What are the business drivers that will incent the necessary investments? What are the appropriate roles and responsibilities of the public and private sector in delivering the healthy ecosystem? Which elements should be prioritized for early realization?

As a healthy cyber ecosystem emerges, governance questions become salient. Will system owners cede decision making to the community? Who sets policy for inter-enterprise information exchange and deployment of countermeasures? What liability regimes apply for collateral consequences of countermeasure deployment (or the failure to deploy known countermeasures)? What legal authorities should local and national governments, as well as international entities, have to compel action by devices owned by or serving private parties in order to secure the larger cyber commons?

Clearly the field is ripe for planning and action. The authors welcome feedback on this paper, and comment on all aspects of the problem. We are continuing our own analysis, and we plan to publish our findings, together with your feedback ([email protected]), in a sequel paper and a proposed action plan that, at a minimum, identifies key game-changing initiatives for each of the three building blocks. Potential game-changing initiatives might include:

- Piloting, demonstration, and rapid promulgation of community and inter-community ACOAs for collective defense

- Piloting, demonstration, and rapid promulgation of security content automation standards for functions described in the second and third waves of Figure 5

- Building upon the draft NSTIC to achieve standards-based device authentication, including small and often wireless devices composing massively scalable grids.


Glossary

General Terms

Cyber devices is a general term used to refer to computers; software systems, applications or services; electronic communications systems, networks, or services; and the information contained therein.

Cyber participants refers to people, processes, and devices.

Information structuring refers to methods and standards that organize data into components and relationships. A general example of structured information is a United States address. Its components are street number, street name, city, state, and zip code. States have fixed two-digit code names and zip codes have a specified five- or nine-digit format. An example of structured cybersecurity information is Common Platform Enumeration (CPE), a naming scheme for some elements of cyber systems. The top-level components of a CPE are platform name, hardware parts, operating system parts, and application parts. Structured cybersecurity information is necessary to automate activities that identify and manage cyber devices and their components, describe and manage security configurations and vulnerabilities, identify and track attackers and attack tools (e.g., malicious code or botnets), detect and describe events and attacks, express and execute cybersecurity policies or courses of action, describe and provide notice of cyber posture, and so on.
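The glossary entry above names CPE as its example of structured cybersecurity information. The Python below is an added example written for this page, not code from the paper or from the CPE specification's maintainers. It parses names in the CPE 2.2 URI binding (`cpe:/<part>:<vendor>:<product>:<version>:<update>:<edition>:<language>`, with the part letter h, o or a), groups a device's names into the hardware, operating system and application parts the entry describes, and applies a simplified form of CPE matching in which an unspecified pattern component matches any value. The vendor and product names in the sample inventory are constructed, not real products.

```python
"""CPE 2.2 URI parsing, platform grouping and simplified matching.
Added example; the sample inventory names are constructed."""
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import unquote

# Part letter -> the platform section named in the glossary entry
PART_NAMES = {"h": "hardware", "o": "operating_system", "a": "application"}
FIELDS = ("vendor", "product", "version", "update", "edition", "language")


@dataclass(frozen=True)
class CpeName:
    part: str
    vendor: str = ""
    product: str = ""
    version: str = ""
    update: str = ""
    edition: str = ""
    language: str = ""


def parse_cpe22(uri: str) -> CpeName:
    """Parse a CPE 2.2 URI; missing trailing components are treated as unspecified."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    comps = uri[len("cpe:/"):].split(":")
    if not 1 <= len(comps) <= 7:
        raise ValueError(f"CPE 2.2 URI must have 1 to 7 components: {uri!r}")
    part = comps[0]
    if part not in PART_NAMES:
        raise ValueError(f"part must be h, o or a: {uri!r}")
    values = [unquote(c) for c in comps[1:]]          # percent-encoding is allowed in 2.2
    values += [""] * (len(FIELDS) - len(values))
    return CpeName(part, *values)


def matches(name_uri: str, pattern_uri: str) -> bool:
    """Simplified CPE matching: every specified pattern component must equal the
    name's component; an empty (unspecified) pattern component matches anything."""
    name, pattern = parse_cpe22(name_uri), parse_cpe22(pattern_uri)
    if name.part != pattern.part:
        return False
    return all(not getattr(pattern, f) or getattr(pattern, f) == getattr(name, f) for f in FIELDS)


def group_platform(platform_name: str, uris: List[str]) -> Dict[str, object]:
    """Arrange a device's CPE names into the top-level platform components."""
    platform: Dict[str, object] = {"platform_name": platform_name,
                                   "hardware": [], "operating_system": [], "application": []}
    for uri in uris:
        cpe = parse_cpe22(uri)
        platform[PART_NAMES[cpe.part]].append(cpe)   # type: ignore[union-attr]
    return platform


# Constructed inventory for one device (vendor/product names are not real).
SAMPLE_INVENTORY = [
    "cpe:/h:example_vendor:example_board:2",
    "cpe:/o:example_vendor:example_os:4.1",
    "cpe:/a:example_vendor:example_agent:1.0:sp1",
]


def affected(inventory: List[str], advisory_patterns: List[str]) -> List[str]:
    """Return the inventory names that fall under any of an advisory's patterns;
    this is the automated identify-and-manage step the glossary entry motivates."""
    return [n for n in inventory if any(matches(n, p) for p in advisory_patterns)]


if __name__ == "__main__":
    print(group_platform("constructed-platform", SAMPLE_INVENTORY))
    print(affected(SAMPLE_INVENTORY, ["cpe:/a:example_vendor:example_agent"]))
```

The `affected()` helper is where structure pays off: because both the inventory and an advisory use the same naming scheme, deciding which devices an advisory applies to is a field-by-field comparison rather than a free-text search.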

Cyber information exchange refers to sharing relationships and protocols that allow cyber participants to publish and subscribe, signal, or request and respond with cybersecurity information using consistent semantics.

Standards Acronyms

ARF: Assessment Results Format
CAIF: Common Announcement Interchange Format
CAPEC: Common Attack Pattern Enumeration and Classification
CCE: Common Configuration Enumeration
CEE: Common Event Expression
CPE: Common Platform Enumeration
CVE: Common Vulnerabilities and Exposures
CVSS: Common Vulnerability Scoring System
CWE: Common Weakness Enumeration
IDMEF: Intrusion Detection Message Exchange Format
IODEF: Incident Object Description and Exchange Format
MAEC: Malware Attribute Enumeration and Characterization
NIEM: National Information Exchange Model
OVAL: Open Vulnerability and Assessment Language
SecDEF: Security Description and Exchange Format
XCCDF: Extensible Configuration Checklist Description Format
